Jira (PUP-9459) Create SSL state machine for generating a client cert

Josh Cooper (JIRA)

Jan 23, 2019, 6:42:03 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / New Feature PUP-9459
Create SSL state machine for generating a client cert
Issue Type: New Feature
Assignee: Unassigned
Created: 2019/01/23 3:41 PM
Priority: Normal
Reporter: Josh Cooper

Create an SSL state machine for loading/generating a private key, loading/submitting a CSR, and loading/downloading a client cert. The state machine should verify the consistency of the data before committing changes to disk and moving to the next state. For example, if we download the client cert, but its public key doesn't match our private key, then the cert should be discarded and an error generated. Connections should always authenticate the server (VERIFY_PEER) and never downgrade to VERIFY_NONE. The state machine should generate an SSLContext initialized with the CA certs, CRL bundle, client cert and private key so that all future connections are mutually authenticated.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
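
The consistency check described in the issue above, sketched in Ruby as an added example (not code from the ticket or from Puppet): a downloaded cert is saved only if its public key matches the local private key, and the resulting SSLContext uses VERIFY_PEER. Class, method and host names are hypothetical, the cert is a constructed self-signed stand-in, and the CSR and CRL states are left out.

```ruby
require 'openssl'
# Added illustration: names are hypothetical, not Puppet's API.
class CertMismatch < StandardError; end

# Constructed stand-in for a cert returned by the CA (self-signed for brevity).
def make_cert(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

class ClientCertMachine
  attr_reader :state, :saved
  # fetch is a callable standing in for the cert download from the CA.
  def initialize(private_key, fetch)
    @key, @fetch = private_key, fetch
    @saved = {}          # stands in for the on-disk ssl directory
    @state = :need_cert
  end

  # Advance one state; nothing is saved until the cert is proven consistent.
  def step
    cert = @fetch.call
    return @state = :wait if cert.nil?   # CSR not signed yet, retry later
    unless cert.check_private_key(@key)
      raise CertMismatch, "cert for #{cert.subject} does not match our private key"
    end
    @saved[:cert] = cert.to_pem
    @state = :done
  end

  # Context for later connections: the server is always authenticated.
  def ssl_context(ca_certs)
    raise 'no verified client cert' unless @state == :done
    store = OpenSSL::X509::Store.new
    ca_certs.each { |ca| store.add_cert(ca) }
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert_store = store
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.cert = OpenSSL::X509::Certificate.new(@saved[:cert])
    ctx.key = @key
    ctx
  end
end
```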

Josh Cooper (JIRA)

Feb 20, 2019, 5:40:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.4.0

Josh Cooper (JIRA)

Feb 22, 2019, 12:58:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper

Josh Cooper (JIRA)

Mar 7, 2019, 5:31:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper Platform Core KANBAN

Josh Cooper (JIRA)

Mar 11, 2019, 12:29:03 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Mar 12, 2019, 12:46:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-9459
 
Re: Create SSL state machine for generating a client cert

Acceptance criteria

  1. Private key should have permissions based on Puppet[:hostprivkey]. When running on a puppetserver host, the private key and client cert must be owned by the puppet user so it is readable by puppetserver.
  2. The state machine should download a missing CA.
  3. If Puppet[:certificate_revocation] = :leaf or :chain, then the state machine should download a missing CRL.
  4. If Puppet[:certificate_revocation] = false, then the agent should not download or load a CRL. It should successfully connect to the server, even if the server's cert has been revoked.
  5. Calling Puppet::SSL::Host.localhost should run the client state machine, as there is existing code relying on that behavior: https://github.com/puppetlabs/puppet-agent-bootstrap/blob/master/lib/puppet/face/bootstrap.rb#L50
  6. The generated CSR should contain custom_attributes and extension_requests if specified in Puppet[:csr_attributes]. The former are only added to the CSR. The latter are added to the CSR and copied to the signed client cert.
  7. The client state machine should work when autosigning is enabled.
  8. If autosigning is disabled, the agent should wait for Puppet[:waitforcert] seconds and try again. When the CSR is next signed, the agent should download the cert and finish its run.
  9. If Puppet[:waitforcert] = 0 or Puppet[:onetime] = true (which occurs when running puppet agent -t), then puppet should exit with an error message "Exiting; no certificate found and waitforcert is disabled" and exit code 1, like it does today.
  10. If an agent submits a CSR, but doesn't have a client cert, and you run puppetserver ca clean --certname <agent>, then the next time the agent runs (or wakes up), it should successfully submit the CSR again.
  11. If an agent has a client cert, but you clean the agent (puppet ssl clean), and run puppet agent -t, then puppet should submit a new CSR, but result in an error that the server's CSR doesn't match the client's. It should be possible to run puppetserver ca clean --certname <agent> on the server, and when the agent next checks it, it should successfully submit the CSR. You shouldn't have to delete any files from the agent.

Josh Cooper (JIRA)

Mar 19, 2019, 12:11:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: Puppet now uses the SSL state machine to generate its private key, submit a CSR, and retrieve its client cert.
Release Notes: New Feature

Josh Cooper (JIRA)

Mar 20, 2019, 12:33:02 AM
to puppe...@googlegroups.com

Heston Hoffman (JIRA)

Mar 20, 2019, 4:51:03 PM
to puppe...@googlegroups.com
Heston Hoffman updated an issue
 
Change By: Heston Hoffman
Labels: resolved-issue-added

Morgan Rhodes (JIRA)

Dec 3, 2019, 2:48:03 PM
to puppe...@googlegroups.com